ML Security PapersRAG-WM: An Efficient Black-Box Watermarking Approach for Retrieval-Augmented Generation of Large Language Models
Peizhuo Lv 1, Mengjie Sun 1, Hao Wang 1,2, Xiaofeng Wang 3, Shengzhi Zhang 4, Yuxuan Chen 2, Kai Chen 1, Limin Sun 1
Published on arXiv
2501.05249
Model Theft
OWASP ML Top 10 — ML05
Key Finding
RAG-WM reliably detects stolen RAG knowledge bases when re-deployed with arbitrary LLMs and remains robust against four categories of adversarial removal attacks while evading watermark detection countermeasures.
RAG-WM
Novel technique introduced
In recent years, tremendous success has been witnessed in Retrieval-Augmented Generation (RAG), widely used to enhance Large Language Models (LLMs) in domain-specific, knowledge-intensive, and privacy-sensitive tasks. However, attackers may steal those valuable RAGs and deploy or commercialize them, making it essential to detect Intellectual Property (IP) infringement. Most existing ownership protection solutions, such as watermarks, are designed for relational databases and texts. They cannot be directly applied to RAGs because relational database watermarks require white-box access to detect IP infringement, which is unrealistic for the knowledge base in RAGs. Meanwhile, post-processing by the adversary's deployed LLMs typically destructs text watermark information. To address those problems, we propose a novel black-box "knowledge watermark" approach, named RAG-WM, to detect IP infringement of RAGs. RAG-WM uses a multi-LLM interaction framework, comprising a Watermark Generator, Shadow LLM & RAG, and Watermark Discriminator, to create watermark texts based on watermark entity-relationship tuples and inject them into the target RAG. We evaluate RAG-WM across three domain-specific and two privacy-sensitive tasks on four benchmark LLMs. Experimental results show that RAG-WM effectively detects the stolen RAGs in various deployed LLMs. Furthermore, RAG-WM is robust against paraphrasing, unrelated content removal, knowledge insertion, and knowledge expansion attacks. Lastly, RAG-WM can also evade watermark detection approaches, highlighting its promising application in detecting IP infringement of RAG systems.
Key Contributions
- RAG-WM: a black-box 'knowledge watermark' framework that injects watermark entity-relationship tuples as synthetic documents into a RAG knowledge base to enable IP ownership verification without requiring white-box access
- Multi-LLM interaction pipeline (Watermark Generator, Shadow LLM & RAG, Watermark Discriminator) that crafts semantically coherent yet detectable watermark texts robust to LLM post-processing
- Demonstrated robustness against removal attacks including paraphrasing, unrelated content removal, knowledge insertion, and knowledge expansion across three domain-specific and two privacy-sensitive tasks on four benchmark LLMs
🛡️ Threat Analysis
The paper's primary contribution is IP ownership protection of RAG systems against theft. The threat model is an adversary who steals a valuable RAG knowledge base and re-deploys it commercially. RAG-WM injects verifiable ownership watermarks into the knowledge base to enable black-box infringement detection — this maps directly to ML05's 'model watermarking to prove ownership of a stolen asset', applied to a RAG system rather than raw model weights.